octo

Sharing

Copy URL

Twitter E-mail

General

Target

com.roomwhatllgp.apk
Size

1.7MB
Sample

230707-j251psfh26
MD5

49f67ec7bcfd5d8b01c1fb92820481f5
SHA1

19bf5e03023516b25bd2d0747773186911bdbf2f
SHA256

2405d448a846ffd6969dee781d02f37d4523b71036ed8e1c414c3afe895560cc
SHA512

ae1f3e3bab47413b456c7c22c465693930099b76cad25e6f8f698e5269c76f3e3e23a05d9b7a460a6b6943ddd73b4a171d77a10bca7d68193e22af0710f1dfd5
SSDEEP

49152:KozkE4BmXs06O2W3m/l1IV9KiaCG0GsBCaEA1l7:Ko4vBmc0TQl6Si9dBCaz1l7

Score

10^/10

Malware Config

Extracted

Family

octo

https://ipscanworldbest.xyz/NmE0N2YwOWEzMTM3/

https://ipworldscanbest.xyz/NmE0N2YwOWEzMTM3/

https://ipworldbestscan.xyz/NmE0N2YwOWEzMTM3/

https://worldbestscanip.xyz/NmE0N2YwOWEzMTM3/

https://worldbestipscan.xyz/NmE0N2YwOWEzMTM3/

https://worldscanbestip.xyz/NmE0N2YwOWEzMTM3/

https://worldscanipbest.xyz/NmE0N2YwOWEzMTM3/

https://bestworldscanip.xyz/NmE0N2YwOWEzMTM3/

https://bestipworldscan.xyz/NmE0N2YwOWEzMTM3/

https://scanbestworldip.xyz/NmE0N2YwOWEzMTM3/

https://doublednscheck.xyz/NmE0N2YwOWEzMTM3/

https://dnscheckdouble.xyz/NmE0N2YwOWEzMTM3/

https://checkdoubledns.xyz/NmE0N2YwOWEzMTM3/

https://doublecheckdns.xyz/NmE0N2YwOWEzMTM3/

https://alldnsfastcheck.xyz/NmE0N2YwOWEzMTM3/

AES_key

Targets

- Target
  
  com.roomwhatllgp.apk
- Size
  
  1.7MB
- MD5
  
  49f67ec7bcfd5d8b01c1fb92820481f5
- SHA1
  
  19bf5e03023516b25bd2d0747773186911bdbf2f
- SHA256
  
  2405d448a846ffd6969dee781d02f37d4523b71036ed8e1c414c3afe895560cc
- SHA512
  
  ae1f3e3bab47413b456c7c22c465693930099b76cad25e6f8f698e5269c76f3e3e23a05d9b7a460a6b6943ddd73b4a171d77a10bca7d68193e22af0710f1dfd5
- SSDEEP
  
  49152:KozkE4BmXs06O2W3m/l1IV9KiaCG0GsBCaEA1l7:Ko4vBmc0TQl6Si9dBCaz1l7
Score

10^/10

octo banker evasion infostealer ransomware rat trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo payload
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  banker
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Reads information about phone network operator.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2
- Target
  
  style_3_18_1624864847.data
- Size
  
  9KB
- MD5
  
  b30db74d00433ab588159728ffa0e4e7
- SHA1
  
  9cf9965703d072590325aa18d9da427a2def4b1d
- SHA256
  
  076d4ed2efe7bb48b1e78b75b72990b6ea7d9039580a076674c6ee68055bc3c5
- SHA512
  
  0be7b914695a3221be944d9eeab9c6101187ee11069485d60ac783de0a25c1d33a63e29bc62cb6cd88ebbc00e9395bbb4ea87d6647b97e75fe8021aec61e3b2e
- SSDEEP
  
  192:foLmZL6lojXOH03saJsppGVuMIEw44CYiwyqVK5iMWindz:QLULhjXiUJdEErFYwqV4p1
Score

3^/10
behavioral3 behavioral4
- Target
  
  style_4_18_1630315891.data
- Size
  
  14KB
- MD5
  
  f27e11baa71c56fc2de6d55247514579
- SHA1
  
  e6e0558aba360bdd3a69984977afcac79a1e210e
- SHA256
  
  17d856da7c1c6debcc4320e2390001d8373c08d24e32aa0bb0b56256c9708c5c
- SHA512
  
  03c24579bafa845edf46efe7dc37a2e26deead57fa92c288ae555489c32723aa2b5c87925fe73a030806923e777fe41cb82674596ef0121849058ba0412f77ac
- SSDEEP
  
  384:1M0NHs5dgU3jPeqxRNYUgvppiajhRkL73O:a0N+zCWPYUwxnkP3O
Score

3^/10
behavioral5 behavioral6
- Target
  
  style_5_18_1630315937.data
- Size
  
  10KB
- MD5
  
  c9e67eedf9a785e6c0031e617e2f20c8
- SHA1
  
  b3d110df9f595e1b0f1eaf0db18af481dbe006d2
- SHA256
  
  09c164fd19bb3aa6c18033407628d1cd63ac5f51f91928a46b178773809a8220
- SHA512
  
  a8897fa86774c9c2368458abb7158ccaeaf42e3b4d5f93b42ba6d3ba6811d2386fb061dffdb1d963ad5cf3ab7e0b92eddd653c3a1209e02b2638136f00f54065
- SSDEEP
  
  192:dnhGTgakkLJuclPCPGjomsFBotZE0F0zcr4NWfz6OZLD+9fIbMxu9tpkt59qe:dgUakkdTcBo7E0qcr4NWfzzxaGbMwstH
Score

3^/10
behavioral7 behavioral8
- Target
  
  style_6_18_1624866734.data
- Size
  
  17KB
- MD5
  
  eb196931a1167bdce0f9411684583a8a
- SHA1
  
  c19a82b9af2c199717206c0855865585cdded8ed
- SHA256
  
  54ea1930964f62208a0b212af7d3bb319cbebb92d252355873ec7ebddfbe9f9b
- SHA512
  
  2dea61baa641fdbd23c9f9d3ef86a9db2468e25207c54a16cb1ab78781edd7ea950b33d0149ffac184b58082c79a0bad0569f3a292b10028068dfe662fd67027
- SSDEEP
  
  384:PFQ9U8Wr7kOv8wfCPjTR2cSjt3cvWcMP+mo+EiWtyx3bxqv:9CUB7kOvx6/ANWgExMxdqv
Score

3^/10
behavioral10 behavioral9

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Octo payload

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Acquires the wake lock.

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10